Author: mjg
Date: Thu Jan  7 12:08:15 2016
New Revision: 293314
URL: https://svnweb.freebsd.org/changeset/base/293314

Log:
  MFC r292440:
  
  proc: fix a race which could result in dereference of bad p_pgrp pointer on
  fork
  
  During fork the p_startcopy - p_endcopy area of a process is populated with bcopy
  with only proc lock held. Another forking thread can find such a process and
  proceed to access p_pgrp included in said area.
  
  Fix the problem by moving the field outside. It is being properly assigned
  later.

Modified:
  stable/10/sys/kern/kern_proc.c
  stable/10/sys/sys/proc.h

Modified: stable/10/sys/kern/kern_proc.c
==============================================================================
--- stable/10/sys/kern/kern_proc.c      Thu Jan  7 11:54:20 2016        
(r293313)
+++ stable/10/sys/kern/kern_proc.c      Thu Jan  7 12:08:15 2016        
(r293314)
@@ -234,6 +234,7 @@ proc_init(void *mem, int size, int flags
        TAILQ_INIT(&p->p_threads);           /* all threads in proc */
        EVENTHANDLER_INVOKE(process_init, p);
        p->p_stats = pstats_alloc();
+       p->p_pgrp = NULL;
        SDT_PROBE3(proc, kernel, init, return, p, size, flags);
        return (0);
 }
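Review bot: The new `p->p_pgrp = NULL;` carries no comment saying why this one field is zeroed here while the rest of the structure receives its values through the p_startcopy..p_endcopy bcopy at fork time, so a reader without the commit log will not see the connection to the layout change in sys/sys/proc.h. Suggest `p->p_pgrp = NULL;	/* Outside p_startcopy..p_endcopy: not bcopy'd at fork, assigned explicitly later. */`. proc_init's signature (`void *mem, int size, int flags`) looks like a UMA init callback, so this assignment presumably runs only when a proc is imported into the zone and not on every reuse; if so, the field relies on being cleared on the teardown path before the structure is recycled, which is worth stating in the same comment once confirmed. proc_init begins outside the hunk.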

Modified: stable/10/sys/sys/proc.h
==============================================================================
--- stable/10/sys/sys/proc.h    Thu Jan  7 11:54:20 2016        (r293313)
+++ stable/10/sys/sys/proc.h    Thu Jan  7 12:08:15 2016        (r293314)
@@ -558,7 +558,7 @@ struct proc {
        int             p_osrel;        /* (x) osreldate for the
                                               binary (from ELF note, if any) */
        char            p_comm[MAXCOMLEN + 1];  /* (b) Process name. */
-       struct pgrp     *p_pgrp;        /* (c + e) Pointer to process group. */
+       void            *p_pad0;
        struct sysentvec *p_sysent;     /* (b) Syscall dispatch info. */
        struct pargs    *p_args;        /* (c) Process arguments. */
        rlim_t          p_cpulimit;     /* (c) Current CPU limit in seconds. */
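Review bot: `void *p_pad0;` is added without a comment, so nothing on the line tells a future editor what it stands in for or why it must stay; the pointer-sized placeholder presumably exists to keep the offsets of the following members unchanged for the stable branch's ABI. Suggest `void            *p_pad0;        /* Was p_pgrp (moved to end of struct); preserves stable/10 layout. */`. struct proc continues outside the hunk.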
@@ -604,6 +604,7 @@ struct proc {
        pid_t           p_reapsubtree;  /* (e) Pid of the direct child of the
                                               reaper which spawned
                                               our subtree. */
+       struct pgrp     *p_pgrp;        /* (c + e) Pointer to process group. */
 };
 
 #define        p_session       p_pgrp->pg_session
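Review bot: The relocated `p_pgrp` keeps its `(c + e)` lock annotation but nothing marks its new position as intentional, so a later tidy-up could move it back beside the other pointers and reintroduce the race the log describes. Suggest extending the comment to `/* (c + e) Pointer to process group. Kept outside the p_startcopy..p_endcopy region: must not be bcopy'd at fork. */`. Whether the new slot really lies past p_endcopy cannot be seen from the hunk (the closing brace follows, so it presumably does), but that is exactly the invariant the comment should state. struct proc begins outside the hunk.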